ISA 2006 and two Domains

ISA 2006 and two Domains - 18.Mar.2009 6:29:31 AM   
isenbuegel

 

Posts: 8
Joined: 2.Mar.2009
From: Duesseldorf Germany
Status: offline
My ISA 2006 is part of a domain (2k3) in a typical class C network, 192.168.0.1 – 192.168.0.254. Everything works fine so far.
But my ISA Server has an additional network adapter in another segment, 192.168.20.1 - 192.168.20.50.
These computers are members of another domain which is not known to my ISA.
I need to access POP3 and SMTP out of this "strange" network.
The only way to realize POP3 and SMTP access is to add the second network adapter (IP range) to the "internal" network, and mirror the "strange user" accounts in the local users of my ISA.

But with this method I have to create a rule "all ports ->internal -> external -> all users".

That's not what I want, because I don't want to open my firewall this far.

I tried another method without success:

Creating a new network called "strange" with the IP segment 192.168.20.1 - 192.168.20.50
Rule: "all ports -> strange->external->all users"
But my users can't access POP3 or SMTP with this rule (users are still mirrored).
If I view the logs, the ISA says "access denied by rule". Which rule is meant?

Or is there a way to access POP3 and SMTP anonymously out of the strange network?


I think I found the right place here for some good ideas!
Post #: 1
RE: ISA 2006 and two Domains - 18.Mar.2009 8:24:28 AM   
SteveMoffat

 

Posts: 1130
Joined: 29.Jun.2001
From: Hamilton, Bermuda
Status: offline
This should work fine. What sort of relationship have you given the "strange" network? Route or NAT?

_____________________________

Thanks
Steve

ISA 2006 Book! - http://tinyurl.com/2gpoo8
TMG Bible - http://tinyurl.com/ykv85hr
www.isaserver.bm

The built in ISA help is likely the most comprehensive help built into an application anywhere. USE it!!! Search it!!! RTFM

(in reply to isenbuegel)
Post #: 2
RE: ISA 2006 and two Domains - 18.Mar.2009 8:29:31 AM   
isenbuegel

 

Posts: 8
Joined: 2.Mar.2009
From: Duesseldorf Germany
Status: offline
Hey thx!

Internet access NAT

(in reply to SteveMoffat)
Post #: 3
RE: ISA 2006 and two Domains - 18.Mar.2009 8:47:46 AM   
isenbuegel

 

Posts: 8
Joined: 2.Mar.2009
From: Duesseldorf Germany
Status: offline
I don't know if it's possible to get access over SMTP if the machine or the user is not authenticated with the ISA server.

Or can I create a role for strange users who are not part of the ISA's domain?

(in reply to isenbuegel)
Post #: 4
RE: ISA 2006 and two Domains - 18.Mar.2009 9:03:09 AM   
SteveMoffat

 

Posts: 1130
Joined: 29.Jun.2001
From: Hamilton, Bermuda
Status: offline
Shouldn't matter unless you try to restrict by group. Basically it's just a DMZ.

Change the Network relationship to route.

_____________________________

Thanks
Steve


(in reply to isenbuegel)
Post #: 5
RE: ISA 2006 and two Domains - 18.Mar.2009 9:23:11 AM   
paulo.oliveira

 

Posts: 3472
Joined: 3.Jan.2008
From: Amazon, Brazil
Status: offline
Hi,

quote:

The only way to realize POP3 and SMTP access is to add the second network adapter (IP range) to the "internal" network, and mirror the "strange user" accounts in the local users of my ISA.

No, you have to add a new Network and bind the "strange" network to it. Make sure users on the "strange" network have the ISA's IP on the "strange" network configured as their default gateway.

Create an access rule allowing the All Users group (it means you're allowing everyone's connections, authenticated or not).

If the destination network is External and ISA is your edge firewall, then you should leave the Network Relationship between "strange" Network and External Network as NAT.

Regards,
Paulo Oliveira.

(in reply to isenbuegel)
Post #: 6
RE: ISA 2006 and two Domains - 18.Mar.2009 9:37:53 AM   
SteveMoffat

 

Posts: 1130
Joined: 29.Jun.2001
From: Hamilton, Bermuda
Status: offline
Ahhh...I missed that....Cheers Paulo.



_____________________________

Thanks
Steve


(in reply to paulo.oliveira)
Post #: 7
RE: ISA 2006 and two Domains - 18.Mar.2009 9:55:10 AM   
isenbuegel

 

Posts: 8
Joined: 2.Mar.2009
From: Duesseldorf Germany
Status: offline
hey,
 
I created a new internal network, called it "internal_2", and added the "strange" adapter to it.
Added the internal_2 network under network rules NAT; now it includes:
 
internal
internal_2
external
Quarantain
VPN-Clients
 
I created a rule "all outgoing " -> from internal_2 -> to -> external -> all users
 
I'm able to surf on my strange client, but Outlook is still not working.
 
What kind of settings do I have to set on the internal_2 properties "Web Proxy" authentication method? Now it's internal.
"Authentication is necessary" is not checked.
 
Out know that my ISA is part of the domain of "internal"?
 
THX!

(in reply to SteveMoffat)
Post #: 8
RE: ISA 2006 and two Domains - 18.Mar.2009 9:56:47 AM   
isenbuegel

 

Posts: 8
Joined: 2.Mar.2009
From: Duesseldorf Germany
Status: offline
Ah,

and do I really need these mirrored users on my local ISA?

(in reply to isenbuegel)
Post #: 9
RE: ISA 2006 and two Domains - 18.Mar.2009 10:07:58 AM   
isenbuegel

 

Posts: 8
Joined: 2.Mar.2009
From: Duesseldorf Germany
Status: offline
one more info,

In my ISA logs, my ISA said:

"PC from internal_2" - Port 137  - NetBios-Nameservice - access denied"
Rule: defaultrule

(in reply to isenbuegel)
Post #: 10
RE: ISA 2006 and two Domains - 18.Mar.2009 10:51:10 AM   
paulo.oliveira

 

Posts: 3472
Joined: 3.Jan.2008
From: Amazon, Brazil
Status: offline
Hi,

quote:

I created a rule "all outgoing " -> from internal_2 -> to -> external -> all users

I'm able to surf on my strange client, but Outlook is still not working.

What kind of settings do I have to set on the internal_2 properties "Web Proxy" authentication method? Now it's internal.
"Authentication is necessary" is not checked.
 
Out know that my ISA is part of the domain of "internal"?

It depends on what kind of authentication you'll require. Personally I don't like the idea of maintaining mirrored accounts.
If you don't intend to add these clients to a domain, then I guess RADIUS is your best option for outbound authentication.

quote:

one more info,

In my ISA logs, my ISA said:

"PC from internal_2" - Port 137  - NetBios-Nameservice - access denied"
Rule: defaultrule

This is normal, you'll see it all the time. It is just broadcast "noise".

Regards,
Paulo Oliveira.

(in reply to isenbuegel)
Post #: 11
RE: ISA 2006 and two Domains - 23.Mar.2009 7:04:43 AM   
isenbuegel

 

Posts: 8
Joined: 2.Mar.2009
From: Duesseldorf Germany
Status: offline
Thanks for your answers!
 
Just so I understand correctly: there is no way to access POP and SMTP through the ISA without authentication?
 
RADIUS is a great idea; do you have a tutorial or some information on how to configure a Windows 2008 Domain Controller as a RADIUS server?
 
With 2003 no problem, but in 2008 everything is different!

(in reply to paulo.oliveira)
Post #: 12
RE: ISA 2006 and two Domains - 25.Mar.2009 11:30:18 AM   
paulo.oliveira

 

Posts: 3472
Joined: 3.Jan.2008
From: Amazon, Brazil
Status: offline
Hi,

No. You can use the POP and SMTP protocols through ISA without authentication. You just have to configure the All Users group on your access rule.

Regards,
Paulo Oliveira.

(in reply to isenbuegel)
Post #: 13
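
The rule behaviour discussed across this thread, as an added example that is not part of any post and is not ISA's own code: a simplified ordered, first-match policy model showing a rule limited to POP3 and SMTP for All Users, the same rule tied to an authenticated user set, and NetBIOS broadcasts falling through to the default deny. The rule names, the sample client address 192.168.20.10, and the "denied at a rule that requires credentials" behaviour are assumptions of this model; the destination is taken to be External throughout.

```python
import ipaddress
from dataclasses import dataclass

# Constructed network table; the address ranges are the ones given in the first post.
NETWORKS = {
    "internal":   ("192.168.0.1", "192.168.0.254"),
    "internal_2": ("192.168.20.1", "192.168.20.50"),
}

@dataclass
class Rule:
    name: str
    action: str        # "allow" or "deny"
    sources: tuple     # network names, or ("any",)
    protocols: tuple   # (transport, port) pairs, or ("any",)
    users: str         # "all_users" or "authenticated"

def network_of(ip):
    """Map a source address to a named network; anything else counts as external."""
    addr = ipaddress.ip_address(ip)
    for name, (lo, hi) in NETWORKS.items():
        if ipaddress.ip_address(lo) <= addr <= ipaddress.ip_address(hi):
            return name
    return "external"

def evaluate(rules, src_ip, transport, port, authenticated=False):
    """Return (action, rule name) for the first rule, in order, that matches."""
    src = network_of(src_ip)
    for r in rules:
        if "any" not in r.sources and src not in r.sources:
            continue
        if "any" not in r.protocols and (transport, port) not in r.protocols:
            continue
        # Model assumption: a client that cannot present credentials is
        # denied at the rule that asks for them (no fall-through).
        if r.users == "authenticated" and not authenticated:
            return ("deny", r.name)
        return (r.action, r.name)
    return ("deny", "Default rule")

MAIL = (("tcp", 25), ("tcp", 110))   # SMTP and POP3

# Least-privilege alternative to "all ports": mail only, All Users.
NARROW = [Rule("Mail out from internal_2", "allow", ("internal_2",), MAIL, "all_users")]
# Same rule restricted to a user set the foreign-domain clients cannot authenticate to.
AUTH_ONLY = [Rule("Mail out (domain users)", "allow", ("internal_2",), MAIL, "authenticated")]
```

With `NARROW`, a client at 192.168.20.10 gets POP3 and SMTP out without mirrored accounts, while web traffic and UDP 137 end at the default rule.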
